If that is the only ouput that you are getting from viewing the ipsec SAs then there are problems with your phase 2 tunnels. There is only an active tunnel for one of the hub networks.
Based on the info that you have posted your ACL looks consistent so it may be a configuration error on the other side. I would check that the ACLs on the other side match exactly and its not something that says...
allow anything from 172.27.241.96/27 to 18.104.22.168/8 (or similar broad statement). Make sure they reflect the hub acls exactly (but in reverse) as I have seen similar problems in the past.
What if you initiate traffic from the other hub networks to the spoke network? Does the SA get created??
thanks for idea. After a weeek of testing, I came to fact, that Vigor 2700 is probably able to hold only one IPSEC SA between two hosts - when IPSEC SA between 172.27.241.96/27 (spoke) and 172.27.0.0/16 (hub) was established and we needed to encrypt packet to 192.168.0.0/16, the IPSEC SA was dropped and new one between 172.27.241.96/27 and 192.168.0.0/16 was established.
After some other testing I changed Local LANs to 172.27.241.96/27 (spoke) and 0.0.0.0/0 (hub) and statically routed necessary traffic to IPSEC tunnel on Vigor and it started to work.